Closed Bug 325929 Opened 19 years ago Closed 19 years ago

Using calendar (0.2 based build) bypasses master password security in Thunderbird mail

Categories

(Calendar :: Sunbird Only, defect)

x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: knobcottage, Unassigned)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Thunderbird 1.5 20051201

OK. If I set a master password to protect all of the passwords in password manager and then click the show password button I am requested for a master password, because I set a master password.  However, if I go and open the calendar and go to password manager there I see the same dialogue.  If I push the show password button, which is greyed out, it shows my mail passwords WITHOUT requiring a master password.  Basically it bypasses the security in the main programme.  Oops!

Reproducible: Always

Steps to Reproduce:
1. Set master password in the mail programme
2. Open calendar.  Open manage passwords there.
3. Click on greyed out show password button and hey presto there they are!!

Actual Results:  
as above

Expected Results:  
my password protection in the main programme is bypassed

asked for my master password
Which Calendar, which version? The Calendar extension version 0.2.2006011612-cal in Thunderbird does the right thing for me.

This is a privacy problem, but not a security exploit. Clearing confidential flag to get more exposure.
Assignee: dveditz → nobody
Group: security
Component: Security → Sunbird and Calendar-Extension Front End
Keywords: privacy
QA Contact: calendar → sunbird
Whiteboard: [sg:needinfo]
....in reply to Daniel Veditz, the calendar version that causes the "privacy issue" is "mozilla_calendar-0.2.0.20060116-fx+tb-windows.xpi".  It does this on Windows 2000 if that makes any difference (I don't think it does) and it does it every time.
(In reply to comment #2)
> ....in reply to Daniel Veditz, the calendar version that causes the "privacy
> issue" is "mozilla_calendar-0.2.0.20060116-fx+tb-windows.xpi".  It does this on
> Windows 2000 if that makes any difference (I don't think it does) and it does
> it every time.
> 
That's an old version of the calendar code that isn't being updated.  The version Daniel describes is the updated code.  This is invalid in my opinion.

It may be an "older version of the code" but it's the current one people are downloading from:

http://www.mozilla.org/projects/calendar/download.html

I have, to the best of my knowledge, no access to the newer version, and I don't think it is invalid until the version which Daniel has replaces the version that is currently available for download.
(In reply to comment #4)
> It may be an "older version of the code" but it's the current one people are
> downloading from:
> 
> http://www.mozilla.org/projects/calendar/download.html

There is a newer version available on that page, the experimental nightly.

Also please read http://www.mozilla.org/projects/calendar/download.html#experimental_stable especially the last sentence:

  "Stable builds are based on the one-year old code from Sunbird 0.2. This code 
  was well tested and those builds are recommended for those users, that are 
  satisfied with the state of the Calendar extension for Firefox or Thunderbird 
  1.0. Please be aware that no new features have been developed for these builds 
  and we do not accept bug reports for these builds."

-> INVALID
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Summary: Using calendar bypasses master password security in Thunderbird mail. → Using calendar (0.2 based build) bypasses master password security in Thunderbird mail
Whiteboard: [sg:needinfo]
Well, I think I need to finish here.  I am only a "joe soap" user and I thought that installing the calendar extension in Thunderbird, that is the one that was available for download, would be safe.  I do not consider it to be so if it gives easy access to my pop3 passwords. If I am to believe what I read then it is a "privacy" problem and not a "security" problem and now it is "invalid", especially if I use an "experimental build".  Whilst I understand your comments I do not accept what you say.  For me it IS a "security" problem, and it is "valid".  I was trying to help iron out something which quite frankly shocked me.  I will uninstall the extension, NOT use the experimental nightly, and seriously reconsider my recent adoption of Thunderbird, as I now wonder what other "things" I may find.  Sorry if I appear rude, but I did take the time and trouble to help and feel that you have snubbed me.  The average user will not take this as invalid, as the average user does not use the nightly experimental.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
It is not a bug in software that a problem that has been fixed doesn't have a release build with it fixed.  That is the nature of a release schedule.  Firefox 1.5.0.1 has bugs that have been fixed in trunk builds.  IE-6 has bugs that have been fixed in IE-7.  Calendar 0.2.0 has bugs that have been fixed in nightly builds.

Your options are:
(1) Use calendar 0.2.0 with the bug
(2) Use the experimental build with the bug fixed (and other bugs present)
(3) Use Lightning with the bug fixed (and other bugs)
(4) Use Sunbird
(5) Don't use a Mozilla Calendar

Under no circumstances does this bug provide information that developers can do anything with.  They have fixed the bug.

-> INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Reporter: Please don't take the status "INVALID" literally. This is mostly a bugzilla term which in this case reflects that there is nothing more to be done about the reported bug. What you have reported was certainly a 'valid' and important bug at some point. It has been taken care of and the fix will appear in the next release once it's ready. As jminta pointed out it's the nature of the software releasing process to cope with existing bugs in between releases and suggesting the installation of the latest nightly is simply a logical alternative. So we do thank you for the time you have taken to prepare the bug report and hope that the next release will address your concern. Thus I would like to complete number 5 in the previous comment with "... until the next release".
Status: RESOLVED → VERIFIED
OK, sorry, perhaps just not used to bugzilla talk.  Do remember though that the people who may report the bugs are not seasoned bugzilla folks and might not take kindly to the bugzilla talk.  From this side it feels like my head has been bitten off. I followed the protocol, checked to see if it had been reported, checked to see if the non-experimental version was still the one that caused the problem and all I got was: "this is invalid" "does not happen with the experimental version" "it is of no value to the programmers"  I do understand things from your side, my information was of no use. However thanks especially to Mostafa Hosseini for translating bugzilla talk into everyday English! ;-))